fix(audit): comprehensive 2026-05-15 audit fix wave + Documenso v2 polish

Bundles the prior session's 50-task fix sweep (Documenso v2 + EOI/signing-
progress redesign + env-to-admin migration + dev-mode banner) with the
2026-05-18 audit fix wave (3 CRITICAL, 14 HIGH, 28 MEDIUM, 6 LOW).

CRITICAL (3):
 - C-01 interest-berths INNER JOIN -> LEFT JOIN so hard-deleted berths
   no longer silently drop interest links
 - C-02 /setup added to PUBLIC_PATHS; fresh-deploy bootstrap loop fixed
 - C-03 generic PATCH /interests/[id] no longer accepts pipelineStage —
   callers must go through /stage with the override-guard chain

HIGH (14/15):
 - H-01 explicit ON DELETE on previously-implicit NO ACTION FKs across
   interests/documents/reservations/reminders/invoices (migration 0070)
 - H-02 login page reads ?redirect= param with same-origin guard
 - H-03 CRM invite token moves to URL fragment so it never lands in
   nginx access logs / Referer headers
 - H-04 Retry-After header on sign-in-by-identifier 429 (RFC 6585 §4)
 - H-05 toggleAccount writes an audit row
 - H-06 upsertSetting masks any value whose key ends with _encrypted
 - H-07 archiveClient cascade fires per-interest audit rows
 - H-08 createSalesTransporter applies SMTP_TIMEOUTS
 - H-09 AppShell stable children — viewport flip across breakpoint no
   longer destroys in-progress form drafts
 - H-10 portal documents page swaps Unicode glyph status icons for
   Lucide CheckCircle2/XCircle/Circle + aria-labels
 - H-12 list components swap alert(...) for toast.warning(...)
 - H-13 5 icon-only buttons gain aria-label
 - H-14 parseBody treats empty bodies as {}
 - H-15 admin layout renders a 403 panel instead of silent bounce
 - H-11 not applicable — mobile-search-overlay IS a mobile bottom-sheet

MEDIUM (28+):
 - M-MT01-05 defense-in-depth port_id/parent-id filters on UPDATE/DELETE
   WHEREs across custom-fields, notes (all 6 entity types x update +
   delete), client-contacts, yacht ownerClient lookup, webhook reads
 - M-D01 documents-hub realtime event-name typo (file:created -> uploaded)
 - M-EM01 portal-auth emails thread through portId
 - M-EM02 sendEmail accepts cc/bcc params
 - M-EM04 notification_digest catalog key
 - M-IN01 portal presigned download URLs use 4h TTL
 - M-IN02 OpenAI client lazy-instantiated
 - M-IN04 stale pdfme refs updated to pdf-lib AcroForm
 - M-IN05 umami.testConnection returns tagged union
 - M-L01 reservations tenure_type unified with berths
 - M-L02 report-generators canonicalize stage values
 - M-AU01 audit log placeholder copy fixed
 - M-AU04 outcome_set / outcome_cleared distinct audit verbs
 - M-NEW-2 activity feed entity name+type separator
 - M-R01 portal allowlist narrowed + portal_session backstop in proxy
 - M-SC02 companies archived partial index
 - M-SC04 audit_logs.searchText documented as DB-managed
 - M-S01 storage_s3_access_key_encrypted admin field
 - M-U01 audit log empty state uses <EmptyState>
 - M-U09 invoice delete dialog -> <AlertDialog>
 - M-U10 toast.success on ClientForm + InterestForm create/edit
 - M-U11 settings-form-card logo preview alt text
 - M-U14 mobile topbar title on clients/yachts/interests/berths
 - M-U15 Invoices in mobile More-sheet

LOW (6/8):
 - L-AU01 severity defaults for security-relevant verbs
 - L-AU02 +13 missing actions in admin audit filter
 - L-AU03 +7 missing entity types in admin audit filter
 - L-AU04 dead listAuditLogs stubbed
 - L-D02 CLAUDE.md Owner-wins chain tightened

Bonus — Document detail polish (#67 partial, 3/6 deliverables):
 - state-aware action button per signer
 - watcher Add UI with display-name resolution
 - cleanSignerName cleanup

Prior session work bundled in:
 - Documenso v2 webhook + envelope-ID normalization + sequential signing
 - SigningProgress UI redesign (avatars, per-signer state, timestamps)
 - env->admin settings registry + RegistryDrivenForm + encrypted creds
 - Embedded-signing card + Test connection + setup help
 - Dev-mode EMAIL_REDIRECT_TO banner
 - Pipeline rules admin page
 - Sales email config card
 - Audit log details Sheet
 - EOI tab: Finalising badge, absolute timestamps, sequential indicator
 - Notes pipeline_stage_at_creation (migration 0069)
 - Documenso numeric ID dual-key webhook (migration 0068)
 - Dimensions criterion copy (migration 0067)

Tests: 1374/1374 vitest pass. tsc clean. lint clean.

See docs/AUDIT-FIX-WAVE-2026-05-18.md for the full progress report and
the user-input items still pending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/(dashboard)/[portSlug]/admin/documenso/page.tsx

@@ -4,148 +4,15 @@ import {
   SettingsFormCard,
   type SettingFieldDef,
 } from '@/components/admin/shared/settings-form-card';
+import { RegistryDrivenForm } from '@/components/admin/shared/registry-driven-form';
 import { DocumensoTestButton } from '@/components/admin/documenso/documenso-test-button';
+import { EmbeddedSigningCard } from '@/components/admin/documenso/embedded-signing-card';
+import { TemplateSyncButton } from '@/components/admin/documenso/template-sync-button';
 import { PageHeader } from '@/components/shared/page-header';
 import { Card, CardContent, CardHeader, CardTitle } from '@/components/ui/card';
 
-const API_FIELDS: SettingFieldDef[] = [
-  {
-    key: 'documenso_api_url_override',
-    label: 'API URL override',
-    description:
-      'Optional. Falls back to DOCUMENSO_API_URL env when blank. Bare host only — never include /api/v1; the client appends versioned paths based on the API version below.',
-    type: 'string',
-    placeholder: 'https://documenso.example.com',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_api_key_override',
-    label: 'API key override',
-    description: 'Optional. Falls back to DOCUMENSO_API_KEY env when blank. Stored in plain text.',
-    type: 'password',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_api_version_override',
-    label: 'API version',
-    description:
-      'Which Documenso REST API this port targets. v1 = Documenso 1.13.x stable. v2 = Documenso 2.x with the envelope model and richer per-field metadata. Test the connection after switching. See the v2 benefits card above for what changes when you flip this — and note that template-based EOI generation still uses the v1 formValues shape regardless of this setting (v2 template/use migration is on the roadmap).',
-    type: 'select',
-    options: [
-      { value: 'v1', label: 'v1 — Documenso 1.13.x (default, stable)' },
-      { value: 'v2', label: 'v2 — Documenso 2.x (envelope, recommended for new ports)' },
-    ],
-    defaultValue: 'v1',
-  },
-];
-
-const SIGNER_FIELDS: SettingFieldDef[] = [
-  {
-    key: 'documenso_developer_name',
-    label: 'Developer signer — name',
-    description:
-      'The party who signs after the client (typically the marina developer or owner). Used as the static "developer" recipient in templated documents (EOI). Was hardcoded as "David Mizrahi" in the legacy single-tenant system.',
-    type: 'string',
-    placeholder: 'David Mizrahi',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_developer_email',
-    label: 'Developer signer — email',
-    description: 'Email used to send the developer signing request via Documenso.',
-    type: 'string',
-    placeholder: 'dm@portnimara.com',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_developer_label',
-    label: 'Developer signer — display label',
-    description:
-      'How the developer slot is referenced in email subjects + signer-progress UI copy. Defaults to "Developer" when blank.',
-    type: 'string',
-    placeholder: 'Developer',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_developer_user_id',
-    label: 'Developer signer — linked CRM user (optional)',
-    description:
-      "Project Director RBAC binding. When set, the webhook handler fires an in-CRM notification for this user when it's their turn to sign — alongside the branded email. Leave blank if the developer slot doesn't map to a CRM user (e.g. external developer). Use the user's UUID from /admin/users.",
-    type: 'string',
-    placeholder: '00000000-0000-0000-0000-000000000000',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_approver_name',
-    label: 'Approver — name',
-    description:
-      'The final approver who signs after the developer (typically a sales/legal lead). Was hardcoded as "Abbie May" in the legacy system.',
-    type: 'string',
-    placeholder: 'Abbie May',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_approver_email',
-    label: 'Approver — email',
-    description: 'Email used to route the final approval signing request.',
-    type: 'string',
-    placeholder: 'sales@portnimara.com',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_approver_label',
-    label: 'Approver — display label',
-    description:
-      'How the approver slot is referenced in email subjects + signer-progress UI copy. Defaults to "Approver" when blank.',
-    type: 'string',
-    placeholder: 'Approver',
-    defaultValue: '',
-  },
-  {
-    key: 'documenso_approver_user_id',
-    label: 'Approver — linked CRM user (optional)',
-    description:
-      "Same as developer's linked user — when set, fires an in-CRM notification when it's the approver's turn. Use the user's UUID from /admin/users.",
-    type: 'string',
-    placeholder: '00000000-0000-0000-0000-000000000000',
-    defaultValue: '',
-  },
-];
-
-const EOI_FIELDS: SettingFieldDef[] = [
-  {
-    key: 'documenso_eoi_template_id',
-    label: 'EOI Documenso template ID',
-    description: 'Numeric template ID used by the Documenso EOI pathway.',
-    type: 'string',
-    placeholder: '12345',
-    defaultValue: '',
-  },
-  {
-    key: 'eoi_default_pathway',
-    label: 'Default EOI pathway',
-    description:
-      'Which pathway is used when an EOI is generated without an explicit choice. Documenso = signed via Documenso, In-app = filled locally with pdf-lib.',
-    type: 'select',
-    options: [
-      { value: 'documenso-template', label: 'Documenso template' },
-      { value: 'inapp', label: 'In-app (pdf-lib)' },
-    ],
-    defaultValue: 'documenso-template',
-  },
-  {
-    key: 'eoi_send_mode',
-    label: 'Initial signing-invitation email behaviour',
-    description:
-      'Auto = the system sends our branded "please sign" email immediately when an EOI/contract/reservation is generated. Manual = the document is generated and the signing URL appears in the UI; a rep clicks "Send invitation" to dispatch. Auto is the lower-friction option for high-volume teams; manual lets reps review before sending. Applies to all document types, not just EOI.',
-    type: 'select',
-    options: [
-      { value: 'manual', label: 'Manual (rep clicks Send after generation)' },
-      { value: 'auto', label: 'Auto (send branded email on generate)' },
-    ],
-    defaultValue: 'manual',
-  },
-];
+// API_FIELDS removed — replaced by <RegistryDrivenForm sections={['documenso.api']} />
+// which adds the new webhook-secret field + AES encrypts the API key at rest.
 
 const CONTRACT_RESERVATION_FIELDS: SettingFieldDef[] = [
   {
@@ -168,30 +35,22 @@ const CONTRACT_RESERVATION_FIELDS: SettingFieldDef[] = [
   },
 ];
 
-const EMBED_FIELDS: SettingFieldDef[] = [
-  {
-    key: 'embedded_signing_host',
-    label: 'Embedded signing host',
-    description:
-      "Origin of the public site that hosts the embedded Documenso signing pages. Outbound emails wrap raw Documenso signing URLs into {host}/sign/<type>/<token> so clients sign on your branded page rather than Documenso's domain. Leave blank to fall back to the app URL. Marketing-website pattern: https://portnimara.com",
-    type: 'string',
-    placeholder: 'https://portnimara.com',
-    defaultValue: '',
-  },
-];
+// Embedded signing field config + Test + Setup help all live inside
+// `<EmbeddedSigningCard />` (imported above). Kept out of the field list
+// here so the admin page reads as a flat sequence of cards.
 
 const V2_FEATURE_FIELDS: SettingFieldDef[] = [
   {
     key: 'documenso_signing_order',
     label: 'Signing order',
     description:
-      'PARALLEL = recipients can sign in any order (faster, current default). SEQUENTIAL = Documenso refuses to email recipient N+1 until recipient N has signed, enforcing client → developer → approver order on EOIs. Only applies when API version above is v2 — v1 instances ignore this and always behave as PARALLEL.',
+      'Whether all signers receive the invitation at once (PARALLEL — anyone can sign first) or only the next pending signer gets the email once the previous one finishes (SEQUENTIAL). Applied at envelope-create time on both v1 and v2: v1 honours meta.signingOrder on /templates/{id}/generate-document; v2 honours it via /envelope/update right after /template/use.',
     type: 'select',
     options: [
-      { value: '', label: 'PARALLEL (default)' },
-      { value: 'SEQUENTIAL', label: 'SEQUENTIAL — enforce signing order (v2 only)' },
+      { value: 'PARALLEL', label: 'PARALLEL — all signers invited at once' },
+      { value: 'SEQUENTIAL', label: 'SEQUENTIAL — one at a time in order' },
     ],
-    defaultValue: '',
+    defaultValue: 'PARALLEL',
   },
   {
     key: 'documenso_redirect_url',
@@ -369,10 +228,10 @@ export default function DocumensoSettingsPage() {
         </CardContent>
       </Card>
 
-      <SettingsFormCard
+      <RegistryDrivenForm
         title="Documenso API"
-        description="Per-port API credentials. Leave blank to use the global env defaults."
-        fields={API_FIELDS}
+        description="Per-port API credentials. AES-encrypted at rest. Leave blank to inherit from the env fallback (badged below each field)."
+        sections={['documenso.api']}
         extra={<DocumensoTestButton />}
       />
 
@@ -382,16 +241,17 @@ export default function DocumensoSettingsPage() {
         fields={V2_FEATURE_FIELDS}
       />
 
-      <SettingsFormCard
+      <RegistryDrivenForm
+        sections={['documenso.signers']}
         title="Signers (developer + approver)"
-        description="Identity of the static signers in your Documenso templates. The client is always pulled from the interest's linked client record; these values fill the developer (signing order 2) and approver (signing order 3) slots."
-        fields={SIGNER_FIELDS}
+        description="Identity bound to the developer (signing order 2) and approver (signing order 3) slots in your Documenso templates. Leave name + email blank to fall through to whatever you set on the Documenso template itself; set them here to override the template's stored values at send time. Recipient IDs are populated automatically by 'Sync from Documenso' below. Linking a CRM user is optional — when set, the platform fires an in-CRM notification for that user when it's their turn to sign."
       />
 
-      <SettingsFormCard
+      <RegistryDrivenForm
+        sections={['documenso.templates']}
         title="EOI generation"
-        description="Default pathway, template, and email behaviour when an interest's EOI is generated."
-        fields={EOI_FIELDS}
+        description="Default pathway, template, and email behaviour when an interest's EOI is generated. Recipient + field discovery happens via 'Sync from Documenso' below — that also populates the template ID for you."
+        extra={<TemplateSyncButton />}
       />
 
       <SettingsFormCard
@@ -400,11 +260,7 @@ export default function DocumensoSettingsPage() {
         fields={CONTRACT_RESERVATION_FIELDS}
       />
 
-      <SettingsFormCard
-        title="Embedded signing"
-        description="Where the public-facing branded signing pages live. The CRM rewrites Documenso signing URLs to point here when sending invitation and reminder emails."
-        fields={EMBED_FIELDS}
-      />
+      <EmbeddedSigningCard />
     </div>
   );
 }